Talos Vulnerability Report

TALOS-2019-0782

May 8, 2019

CVE Number

CVE-2019-5021

Summary

Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability appears to be the result of a regression introduced in December t2015. Due to the nature of this issue, systems deployed using affected versions of the Alpine Linux container that utilize Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.

Unfortunately, later that same year, a commit was pushed to simplify the regression tests. This lead to logic that may have caught this regression being simplified, causing these tests to be incorrectly 'satisfied' if the root password was once again removed.

Eight days after this vulnerability was initially fixed, a commit was pushed which removed this 'disable root by default' flag from the 'edge' build properties file, reintroducing this issue to subsequent builds.

Since this time, the default build options appears to have been copied from this properties file, leading to this flag being missing from all tagged builds since December 2015 (>= 3.3).

After discussions with Alpine Linux, it was discovered that this issue was also reported in their Github prior to our report, but was not flagged as a security issue and thus remained unresolved until it was rediscovered and reported by Cisco.

Mitigation

The root account should be explicitly disabled in Docker images built using affected versions as a base. The likelihood of exploitation of this vulnerability is environment-dependent, as successful exploitation requires that an exposed service or application utilise Linux PAM, or some other mechanism which uses the system shadow file as an authentication database.

Timeline

2019-02-19 - Vendor Disclosure
2019-02-21 - Vendor Acknowledged
2019-03-01 - It was discovered that this issue was also reported and made public in their
Github prior
to our report, but was not flagged as a security issue and thus remained
unresolved until it was rediscovered and reported by Cisco.
2019-05-08 - Public Release